
Friday, January 10, 2014

The Spooky Science of Data Mining

The Omnivore got an email from Amazon: Chase Fraud Alert--it asked if I'd made a purchase from Publix supermarket identified by a single digit number (not an address).

There are two Publix supermarkets within about 5 minutes of The Omnivore's house and they are the preferred location for omnivorous shopping. I certainly might have. I looked over the email, scanning it for signs of phishing. They used my proper name (a good sign). They had the last 4 digits of my card (a good sign). The English was all perfect.

I examined the shopping time: TODAY. I certainly hadn't been to the supermarket today. I clicked NO and the email indicated they'd call me later to check in.

They did. There was another charge--also around 50 dollars (but not exactly) at Walgreen's. The Omnivore lives next to a Walgreen's so ... maybe--but, again, not on that date.

Both charges were denied. The card was canceled. All's good.

I asked "What exactly happened? Where were these charges made?"

I was told: "The card was cloned," meaning a physical card was imprinted with my number and used in person--and the charges were made in Miami. Miami is about 36 minutes away from my home. I regularly travel further than that (albeit north) on a weekly basis.

These are the kinds of places I shop.

The amounts are not unusual.

The location is not far from me--and it's not as if I never go to Miami.

How the heck did Chase decide to question these charges?

How Did Chase Decide About 100 Bucks of Groceries Might Be Fraudulent?
I don't know the answer for sure but I have a very good guess: Big Data. The practice of data mining can produce fairly creepy results. Twitter knows when you're going to get sick (maybe before you do). Target knows if you're pregnant ... and if they think you're spending enough money with them.
[Image caption: That's a LOT of Predictive Behavior]
Facebook tracks stuff you type in--but decide not to post. And so on.

In this case something about the behavior met a pattern that triggered a Fraud Alert and the system sprang into action ... accurately. What was it? There's a Walgreen's a block away--it's probably the same one (they were using a physical card so it would make sense to hit two places close by).

What Do Credit Card Agencies Know?
Well, it's unlikely that they know the specific items that were purchased. Credit Card transactions come with a Merchant Category Code (MCC) and when, where, and how much was spent. So if the guy was buying, I don't know, tons of lobster (a rare purchase for me) that by itself wouldn't trigger it.

The stores themselves do know what you buy and some of them use it (especially if the store offers its own lines of credit: people who buy premium wild birdseed are bad credit risks!).

The best guess is that something about the "where" and "when" (a time when I am at work) was enough to trigger it.

What About Profiling?
If the credit card company knowing I'm supposed to be at work 29.5 miles away from where the card is being used is kinda creepy, what else might they and insurance companies know? It turns out that they put a good amount of work into trying to "profile" you--and the profiles? They are not pretty.

For example, a credit card company will know how often you check your balance--and when. If it's in the middle of the night? Maybe you're up late worried. They'll see changes in behavior (using the card suddenly to buy groceries when you usually don't). These things will trigger different kinds of alerts (maybe he's not gonna pay us!).

But the worst thing is when you wind up on a list.

That link is to Beach List Direct which sells lists of customers for direct marketing. Some of the categories are good ones:

  • Wealthy Seasoned Travelers
  • Investors with Wealth
  • Or maybe "Magnificent Milestones" (you're getting married!)
But do you want to be on:
Indeed, some of these agencies seem to be directly marketing to suckers:

For example, the New York Times has reported on telemarketing criminals that succeeded in raiding the banking account of a 92-year old Army veteran. Data broker InfoUSA sold his name and contact information to a scam artist. As detailed in the Times’ account, InfoUSA advertised lists such as “Elderly Opportunity Seekers,” described as older people “looking for ways to make money;” “Suffering Seniors,” older people with cancer or Alzheimers disease; and “Oldies but Goodies,” people described as “gullible . . . [who] want to believe their luck can change.”
Good going InfoUSA. So clearly this data-mining is a mixed blessing.

The Scary Stuff
So here's the big question: companies like Amazon and Google have far more insight into my life than just a Credit Card company (although I have an Amazon card as well so they have that too). I'm surprised Google isn't in the credit business already (Google Wallet notwithstanding).

A company that can read my email can know a lot about me. Here's a visualization from Immersion, an MIT demo that visualizes your email relationships. Unfortunately I'm posting it here WITHOUT the identifying information: it's just too personal. Each dot represents a person I email with. The larger the dot, the more emails. Lines indicate a lot of connection and, possibly, who introduced whom to me.
[Image caption: That Big Dot In The Middle I Transact Most With? NOT My Wife ...]
Email, combined with buying habits and browser history would probably give you a better view into my personality than I even afford myself. Looking at who is in my interaction cloud I realized some things I hadn't consciously known (who my top-level collaborators were, and so on).

Already these online pictures of us are being used behind the scenes in job interviews, police investigations, and, in the very near future, I'm sure, political campaigns.

Maybe when the next generation of candidates starts finding their own online lives being data-mined for use against them we'll see some additional privacy laws.


4 comments:

  1. I think the real opportunity for consumers and the big FI's is to take all of this data, predictive power, etc. and create new products and services around them that in turn drive new revenue streams. What is a bank's core competency? I would argue that near the top would be fraud and risk mgmt. Yet this capability is so under-monetized (or only in one direction) to make me scratch my head why no one has yet gone into a bold new direction such as this. Once there is real can't-live-without value for consumers from all of this data, the privacy debate will shift, as folks will opt-in to the products and services that help make their lives better. Invasive? Yes. But desired? That's the million (billion) dollar question.

    1. People are terrified of this stuff. If you use it for any reason except to protect them, they're going to demand that the company be put out of business.

      -- The Blue Dot

    2. From what I can tell, the idea of super-tailored products is harder to implement on the back end (the provider) than the front end (the consumer). There's also the problem that where there is a personalized deal (such as buying a car), a potential common-case result is that the customer suspects they're getting screwed (as many people do when they buy a car).

      The problem with Big Data products is that they're *advertising* the asymmetrical information advantage the company has--which is a bad way to start off ...

      Me, I'd just like to know which category I fall into on those lists ...

  2. And say hi to the blue dot for me.
